Smart devices number in the tens of billions, all of them communicating with and facilitating access to websites and digital services, from public ones like accessing social media, to sensitive operations like private email access, online banking and processing medical data.
These communications all rely on Public Key Infrastructure (PKI), in which Public Certificate Authorities (CAs) oversee the provisioning of digital certificates, ensuring that the entities running and accessing these services are who they claim to be and securing the connections between them. On the public web, it’s crucial that these connections are not only secure, but trusted.
The Many Aspects of Public Trust
What is Trust?
In the context of an SSL / TLS connection, trust revolves around a client's confidence in the identity of the server or other party with which it's communicating. To understand how that trust is established, let’s explore some of the language around trust.
Assurance
Assurance helps us to establish who and what is trustworthy. When you are handed a signed document, there are a few factors that can assure you that the signature is legitimate, for example, if you personally know and trust the person handing you the document, if it contains a notarized stamp or seal, or if the signing process is recorded and time stamped. Each of these actions provides an extra layer of assurance for the recipient, increasing trust.
General Assurance
In the example above, general assurance is taking someone’s word that the document is genuine. While knowing the individual marginally increases assurance, it still falls under general assurance.
High Assurance
If the signed document has been notarized, there is high assurance that the document and signature in question are genuine. Even without knowing the notary public personally, checks can be performed to verify that the notary is registered with the relevant government office. Many states also require notaries to keep a log which can further assist in verification. Having video evidence would bring us to near certainty.
Still, there are potential issues such as video quality, misidentification, editing, and deepfakes, which can cast some doubt.
Cryptographic Certainty
If we watched recorded footage of a signing process, we could establish from context the legitimacy of the signed document. A trusted timestamp indicates that the video is unedited and that the signing took place at that time. We can also ascertain that the document, signature and notary’s countersignature match the ones in the video, and then confirm this by corroborating it with the notary office’s logs.
If the document was altered or the notary’s license was expired at the time of signing, there would no longer be any assurance and the document, and signature, would be void. This is effectively what we get with Cryptographic Certainty, which describes the highest level of assurance wherein we can guarantee that a communication or piece of data has not been tampered with and comes from a trusted source.
Offline Trust vs. Digital Trust
Offline, we can observe aspects of our environment to confirm that we are in the right place, speaking to the right people - such as a doctor in a doctor’s office. The online world has removed us from in-person environments, presenting a challenge to proving we are in the correct digitally equivalent space. Fortunately, we can leverage automation to perform these requisite checks, and bring a high level of assurance and trust suitable for the online world.
Public Trust vs. Private Trust
When checking in at an airport or opening a bank account, some form of identity verification is required. Acceptable forms of ID, such as a driver’s license or passport, are typically issued by state or federal authorities, which makes them versatile in their use because they are publicly trusted.
A private trust equivalent would be an employer-issued badge or ID. You cannot use an employee ID to open a bank account, but an employee ID has strength in the right context. It’s controlled by the employer and lets others know you are permitted to be on the premises. A driver’s license might show an employer who you are, but it does not show them that you belong on the premises.
Both also have digital equivalents. Different certificates carry different applications of trust depending on what they are for and to whom they are issued. Certificates are issued for both internal and external purposes – some may be publicly trusted, while others may not.
Now that we have established traditional assurance hierarchies, let’s establish who plays these roles online, or rather, who are the ‘notaries’ of the internet?
Trust in Public Certificate Authorities
Traditionally we may leverage a notary public or letters of attestation from a lawyer; in the online world we turn to Public Certificate Authorities. Notaries earn trust by satisfying the requirements of their jurisdiction and registering with the proper authorities. This trust is applied using their seal and signature on documents.
Similarly, Public CAs earn trust by meeting strict security and compliance requirements set forth by “Root Store Operators”. Some examples of Root Store Operators are Adobe, Apple, Google, Microsoft, and Mozilla. A CA’s presence in one or more of these root stores determines its degree of root ubiquity.
The trust granted to Public CAs through these root programs is inherited down to the digital certificates they issue.
Digital Certificates
Digital Certificates are digital documents conforming to the X.509 standard and can be split into two main categories: server certificates and client certificates. Digital certificates contain a public key and a set of standard fields defining the purpose of the cert, its validity period, and many other details, including the entity or entities to which it is issued. The information within the certificate is digitally signed by the CA, which is what makes it trustworthy.
Server certificates, also called SSL or TLS certificates, attest to the identity of a server. When a client connects to the website, e.g., https://www.globalsign.com, the TLS certificate and protocol ensure confidentiality, integrity, and authenticity in data transmission.
Where a TLS certificate authenticates a server, a client certificate attests to other entities such as individuals, email addresses, organizations, or other parties. Client certificates are leveraged for signing digital objects such as CAD drawings, documents, emails, and code; they encrypt email and other data; and they can be used for authenticating a client to a server.
Establishing Trust
A TLS certificate may purport to certify a particular website, but how can we trust that the certificate belongs to the party with control of that website and not an imposter?
When a client connects to the website, the browser checks which CA signed and issued the certificate. Typically, this is an intermediate certificate. These intermediate certificates are in turn signed and issued by a Root CA certificate. The sequence tying the TLS certificate through one or more intermediate certificates and ultimately to a Root CA is called the Chain of Trust. If the Root CA is held in the browser’s Trusted Root Store, the certificate is trusted.
Bringing it all Together
When we have a TLS certificate issued to the website, the CA has validated that its requestor exhibits control of the domain and possession of the private key. The certificate is signed by the CA and now has a chain of trust back to its root certificate which is also part of a Root Program. The browser can validate all of this and confirm that the certificate is neither expired nor revoked. With a TLS connection established, we have the assurance of all the above and a secure connection ensuring data transmitted is encrypted and unaltered from its source.
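The chain walk described in the two paragraphs above (leaf, intermediates, root in the trust store; expiry and revocation checks) as an added example using the Python ‘cryptography’ library. This is not GlobalSign’s code; the CA names, www.example.com, and the “Imposter Root CA” that answers the question in Establishing Trust are all constructed for the demo, and revocation is modelled as a set of revoked serial numbers rather than a CRL or OCSP lookup.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False, days=30):  # no issuer = self-signed root
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer.subject if issuer is not None else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def validate_chain(leaf, intermediates, trust_store, now, revoked=frozenset()):
    """Walk leaf -> intermediates -> root as a browser does: each link must be within its validity
    period, not revoked and signed by its issuer, ending at an already-trusted root. Returns (ok, reason)."""
    by_subject = {c.subject: c for c in list(intermediates) + list(trust_store)}
    cert = leaf
    for _ in range(len(intermediates) + 2):      # bounded walk: a self-signed loop cannot spin forever
        who = cert.subject.rfc4514_string()
        nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
        if not nb <= now <= na:
            return False, f"{who} is outside its validity period"
        if cert.serial_number in revoked:
            return False, f"{who} is revoked"
        if cert in trust_store:
            return True, f"anchored at trusted root {who}"
        if (issuer := by_subject.get(cert.issuer)) is None:
            return False, f"no issuer available for {who}"
        try:  # the issuer's public key must verify the signature over the to-be-signed bytes
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"signature on {who} does not verify"
        cert = issuer
    return False, "no path to a trusted root"

def build_demo():
    """Constructed PKI: trusted root -> intermediate -> leaf, plus an imposter chain for the same name."""
    rk, ik, lk, xk, xlk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root = make_cert("Demo Root CA", rk, is_ca=True, days=3650)
    inter = make_cert("Demo Issuing CA", ik, root, rk, is_ca=True, days=1825)
    leaf = make_cert("www.example.com", lk, inter, ik)
    fake_root = make_cert("Imposter Root CA", xk, is_ca=True, days=3650)
    return root, inter, leaf, fake_root, make_cert("www.example.com", xlk, fake_root, xk)
```

The imposter chain is internally consistent (every signature verifies), yet it fails because its root is not in the client’s trust store; the same leaf also fails when presented without its intermediate, after its serial is revoked, or once the clock passes its 30-day validity.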
Verifying every in-person interaction with ID, and then verifying the validity of that ID in the offline world would be extremely impractical for day-to-day applications, but, in the digital world, we can automate equivalents of these checks and bring high assurance to digital interactions.
Trust is the foundation on which all the world’s transactions and communications are built, both in the physical and digital space. Without trust, we are unable to guarantee the protection of our data and assets, and many of the processes for these communications would fall through.
When conducting business transactions organizations depend on the assurance of trust between themselves and partners to ensure that business operations continue without disruption. Similarly, organizations must work with a trusted Certificate Authority to ensure the security of their data, communications and digital transactions.
To learn more about embedding trust into your organization, talk to our expert team